CVE-2022-36129

9.1 CRITICAL

📋 TL;DR

HashiCorp Vault Enterprise clusters using Integrated Storage expose an unauthenticated API endpoint that allows attackers to override a node's voter status in HA clusters. This could lead to cluster instability, data loss, or catastrophic failure. Affects Vault Enterprise 1.7.0 through 1.9.7, 1.10.4, and 1.11.0.

💻 Affected Systems

Products:
  • HashiCorp Vault Enterprise
Versions: 1.7.0 through 1.9.7, 1.10.4, and 1.11.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects clusters using Integrated Storage with HA configuration enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete cluster failure leading to data loss, service disruption, and potential compromise of all secrets stored in Vault.

🟠

Likely Case

Cluster instability, degraded performance, and potential data inconsistency across nodes.

🟢

If Mitigated

Limited impact if proper network segmentation and authentication controls prevent access to the vulnerable endpoint.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the vulnerable API endpoint but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.8, 1.10.5, and 1.11.1

Vendor Advisory: https://discuss.hashicorp.com/t/hcsec-2022-15-vault-enterprise-does-not-verify-existing-voter-status-when-joining-an-integrated-storage-ha-node/42420

Restart Required: Yes

Instructions:

1. Back up Vault data and configuration.
2. Upgrade to Vault Enterprise 1.9.8, 1.10.5, or 1.11.1.
3. Restart Vault services.
4. Verify cluster health and voter status.

🔧 Temporary Workarounds

Network Segmentation

Restrict network access to Vault API endpoints to trusted sources only (Linux, iptables; 8200 is the default API listener port, and trusted_ip_range is a placeholder for your own address range):

iptables -A INPUT -p tcp --dport 8200 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 8200 -j DROP

🧯 If You Can't Patch

  • Implement strict network ACLs to limit access to Vault API endpoints
  • Monitor cluster logs for unauthorized voter status changes

🔍 How to Verify

Check if Vulnerable:

Run the 'vault version' command and check whether the reported version is in the affected list and the cluster uses Integrated Storage with HA enabled.

Check Version:

vault version

Verify Fix Applied:

Verify version is 1.9.8, 1.10.5, or 1.11.1 and test cluster stability after patch.
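The version check above can be scripted so it is applied the same way on every node. The following is an added example, not code from the advisory or from HashiCorp: it classifies the first line of 'vault version' output against the affected and fixed versions listed on this page. The input format it assumes ("Vault v<major>.<minor>.<patch>+ent (<commit>)") is how the command prints its first line; the sample line used when no vault binary is present is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or HashiCorp): classify `vault version`
# output against the CVE-2022-36129 version list.
# Assumed input: "Vault v<major>.<minor>.<patch>[+ent] (<commit>)".

# vault_cve_2022_36129_status "<vault version line>"
# Prints one of: affected, fixed, not-enterprise, unlisted, unparseable
vault_cve_2022_36129_status() {
    line=$1
    case "$line" in
        "Vault v"*) ;;
        *) echo unparseable; return 1 ;;
    esac
    tok=${line#Vault v}        # "1.9.7+ent (abc123)"
    tok=${tok%% *}             # "1.9.7+ent"
    case "$tok" in
        *+ent*) ;;
        *) echo not-enterprise; return 0 ;;   # advisory scope is Vault Enterprise only
    esac
    ver=${tok%%+*}             # "1.9.7"
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unparseable; return 1 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}    # drop a pre-release suffix such as "-rc1"

    # Only the 1.x ranges named on this page are classified; anything else is
    # reported as "unlisted" so a human reviews it rather than the script guessing.
    if [ "$major" -ne 1 ]; then echo unlisted; return 0; fi
    case "$minor" in
        7|8) echo affected ;;                                   # 1.7.0 through 1.8.x
        9)  [ "$patch" -le 7 ] && echo affected || echo fixed ;; # 1.9.0-1.9.7 affected, 1.9.8 fixed
        10) if [ "$patch" -eq 4 ]; then echo affected           # 1.10.4 affected
            elif [ "$patch" -ge 5 ]; then echo fixed            # 1.10.5 fixed
            else echo unlisted; fi ;;
        11) [ "$patch" -eq 0 ] && echo affected || echo fixed ;; # 1.11.0 affected, 1.11.1 fixed
        *)  [ "$minor" -gt 11 ] && echo fixed || echo unlisted ;; # later minors assumed to carry the fix
    esac
    return 0
}

# Stand-alone usage: classify the local binary if present, otherwise a
# constructed sample line.
if command -v vault >/dev/null 2>&1; then
    vault_cve_2022_36129_status "$(vault version | head -n 1)"
else
    vault_cve_2022_36129_status "Vault v1.9.7+ent (0000000 constructed sample)"
fi
```

Any result other than "fixed" on a cluster that uses Integrated Storage in HA mode should be treated as needing the upgrade or the network restriction described above.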

📡 Detection & Monitoring

Log Indicators:

  • Unexpected voter status changes in cluster logs
  • Unauthorized API calls to voter status endpoints

Network Indicators:

  • Unusual traffic to Vault API port 8200 from untrusted sources

SIEM Query:

source="vault" AND ("voter status" OR "cluster join")
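Because the flaw lets a node's voter status be overridden, the most direct indicator is a change in the set of voting peers. The following is an added example, not from the advisory or from HashiCorp: it parses the table printed by 'vault operator raft list-peers' (Node, Address, State and Voter columns after two header lines, which is that command's real output layout) and diffs the voter set against a baseline captured at a known-good time. The node names, addresses and both snapshots are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or HashiCorp): detect voter-set drift
# by comparing `vault operator raft list-peers` output against a baseline.
# Assumed table layout: "Node Address State Voter" header, a dashes line,
# then one whitespace-separated row per peer.

# raft_voters "<list-peers output>"  -> sorted, space-separated voter node names
raft_voters() {
    printf '%s\n' "$1" | awk 'NR > 2 && $4 == "true" { print $1 }' \
        | sort | tr '\n' ' ' | sed 's/ $//'
}

# voter_drift "<baseline output>" "<current output>"
# Prints "+node" for each new voter and "-node" for each node that lost voter
# status; returns 1 when any drift was found, 0 when the sets match.
voter_drift() {
    base=$(raft_voters "$1")
    cur=$(raft_voters "$2")
    drift=0
    for n in $cur; do
        case " $base " in *" $n "*) ;; *) echo "+$n"; drift=1 ;; esac
    done
    for n in $base; do
        case " $cur " in *" $n "*) ;; *) echo "-$n"; drift=1 ;; esac
    done
    return $drift
}

# Constructed baseline: three voting nodes.
BASELINE='Node     Address          State     Voter
----     -------          -----     -----
vault-1  10.0.0.1:8201    leader    true
vault-2  10.0.0.2:8201    follower  true
vault-3  10.0.0.3:8201    follower  true'

# Constructed current snapshot: vault-3 has lost voter status and an
# unexpected node has joined as a voter.
CURRENT='Node     Address          State     Voter
----     -------          -----     -----
vault-1  10.0.0.1:8201    leader    true
vault-2  10.0.0.2:8201    follower  true
vault-3  10.0.0.3:8201    follower  false
rogue-1  10.0.0.9:8201    follower  true'

# Stand-alone usage against the constructed snapshots; replace CURRENT with
# "$(vault operator raft list-peers)" to check a live cluster.
voter_drift "$BASELINE" "$CURRENT" || echo "voter set changed: investigate"
```

Run it from a scheduled job on each cluster and feed any non-zero exit into the same alerting path as the SIEM query above; a voter appearing or disappearing without a planned operator action is the signal this advisory is concerned with.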
